DLP Strategies for Securing Healthcare Data

A broad theme among DLP users is to get staff to think before they share. For instance, at Texas Health Resources, providers are advised to include the word "secure" in the email subject line, and that email will be encrypted and sent securely, says Chief Security Officer Ron Mehring.

If they don't put that word in the subject line, and the DLP technology detects PHI in the message, the provider is notified that he or she has violated the policy, Mehring says. "They now have to interact with the privacy and security offices to resolve that issue, and now that becomes somewhat of a distraction for them," he says.

Texas Health Resources serves a geographic area of north Texas larger than the state of Maryland. The system includes 25 hospitals (17 of which are acute care), more than 21,100 employees, 5,500 physicians with staff privileges, and 3,800 licensed hospital beds. "We have pretty good service management processes in place where they interact with our overall set of IT processes to resolve those issues, and we try to resolve them pretty quickly so escalation works, but you've got to have a structure around it. DLP can't exist in a vacuum. It's got to integrate real cleanly into your overall IT service management practices."

Don't let technology dictate your goals, Mehring says. "I can't imagine a single shortcut when it comes to DLP," he says. "It's a tough solution. You've got to have the dedicated staff for it. You've got to have the talent, and you've got to have the support."

Smaller organizations can take fewer steps, he says. "Encrypt everything," he says. "Make sure users know not to keep data on devices."

Mehring also challenges the coalescence of DLP standards around vendor-specific solutions. "My challenge to vendors is, 'Why are you making me do that?' " he says. "When vendors do that to us they put us in a box, and it's
not appropriate."

A vendor-independent solution is transport-layer security standards, and they are emerging now. "How do I get a transaction from Point A to Point B in a secure manner, and how do I ensure it's going to the right person?" Mehring asks.